Did Mexico Drop $5 Million On This 'Unlimited' Uber-Stealth Spy Tech?

Mexicans protest at mobile surveillance of journalists and activists in the country in June 2017. President Enrique Peña Nieto has called for an inquiry into use of an Israeli spy tool called Pegasus, but now it appears a new, even more powerful surveillance tool has been purchased by the country. (Credit: ALFREDO ESTRELLA/AFP/Getty Images)

The revelation was contained in what an anonymous source close claimed was internal sales information from Israeli provider Ability Inc., which appeared to have sold its Unlimited Interception System (ULIN) to Mexico. With prices ranging between $5 and $20 million, ULIN enables silent, almost-undetectable snooping on cellphones, and all that's required is a telephone number, according to a leaked manual detailed by Forbes in 2016.

It comes at a time when Mexico is wrapped up in a spyware scandal. Researchers found this year that activists, journalists, murder victims' attorneys, and investigators into a mass student disappearance have been targeted by the Pegasus spyware, a creation of $1 billion-valued Israeli firm NSO Group. So far no Mexican agency has been accused of running the software. But New York Times' reports were swiftly followed by public protests in June. President Enrique Peña Nieto called for an inquiry (while at the same time denying his government was responsible.) In August, an NSO Group spokesperson said the company was "deeply disturbed by any alleged misuse of our product," but didn't address any of the specific allegations.

Now, adding to the anxiety is ULIN, a technology that allows silent spying on calls, text and location for any mobile phone on the planet. All a potential snooper needs is a target's telephone or IMEI number. Distance from target doesn’t hinder the technology and attacks are incredibly hard to detect, making it potentially more potent than NSO's spyware. ULIN takes advantage of SS7, the vulnerable area of telecom infrastructure used to shift customers between networks when travelling abroad.

"SS7 is the easiest way to spy on mobile users remote, at little cost and small risk of being detected," said Karsten Nohl, a security researcher who first warned about SS7 weaknesses in 2014. "Most mobile networks are still completely vulnerable to SS7 attacks." The most significant difficulty in launching attacks, and one that Ability claims to have overcome, is gaining access to the SS7 network. The company’s CEO Anatoly Hurgin wouldn't disclose how the company acquired that access, only noting that for ULIN to work it required a "physical connection to an SS7 line," which his firm could provide. That's one reason why ULIN surveillance doesn't require any assistance or knowledge on the part of the operator, another big selling point for Ability.

Luis Garcia, director at R3D, an NGO that's helped expose the use of NSO tools in Mexico, said of the potential use of SS7 in Mexico: "It raises the concern that a government authority would want to purchase a tool like this when similar capabilities are already available through the cooperation of telecommunication companies with a judicial warrant… The intention to purchase this type of tool that does not require telco cooperation could indicate an intention to elude the legal process of obtaining a judicial warrant."

"There is an obvious additional concern from the fact that the Mexican government has been shown to systematically target journalists and human rights defenders with surveillance tools."

A $5.1 million sale

As with the Pegasas software, the exact entity that purchased ULIN remains unknown. Hurgin, whose company is dealing with an SEC investigation and class action lawsuits, as well as a severe decline in revenue and stock value, wouldn't discuss Ability customers with Forbes. This publication couldn't independently verify the data disclosed by the source, and enquiries to Mexico's chief intelligence agency, CISEN, and the Policía Federal Ministerial went unreturned.

Listed in a previous Ability press release, however, is one ULIN buyer based in an unnamed Latin American country. Commenting as Ability released its 2016 third quarter results, Hurgin said: "We recognized approximately $400,000 for this $5.1 million sale in the third quarter and expect to recognize approximately $1.3 million each of the next three quarters and approximately $800,000 in the third quarter of 2017."

Mexico bought more than ULIN, according to the Ability sales data Forbes received from the anonymous source. The unnamed entity spent as much as $42 million on various Ability surveillance technologies, all designed to intercept communications over telecoms networks, according to the data. The shopping list included Touchdown, which, according to a Reuters information sheet on the company, is an "interception, location and monitoring solution" for 3G cellphone connections, and the In-Between Interception System (IBIS), a similar tool for 2G. Also listed was 3G-Cat, which downgrades connections from 3G to 2G, the latter being easier to surveil due to weaker encryption. Ability currently advertises on its website an updated version of that product called GoDown, which the firm claims can degrade 4G to 2G.

"The sale of ever more surveillance capabilities ... raises huge concerns about how these capabilities will be used, especially as the [ULIN] capability allows for direct access without the active role of the telecommunications operator," Edin Omanovic, head of Privacy International's state surveillance program, told Forbes. "It is essential that the Mexican government comes clean about what technology is being used and on what legal basis."

American anxiety over SS7

If Ability did sell ULIN to Mexico as the data shows, it marks the first-known purchase of any kind of SS7 surveillance technology by any government, though Ability does have rivals in this space, including two other Israeli surveillance companies: Rayzone and Verint. All other sales have been kept entirely hidden from public view, until now.

And SS7 vulnerabilities are an international concern. U.S. Sen. Ron Wyden (D-Ore) announced in August that the intelligence community would produce a report on whether SS7 vulnerabilities were being exploited by foreign governments for surveillance of Americans. Wyden, together with California state congressman Ted Lieu (D-Torrance), called on the FCC to force network carriers to take action.

Until telecoms providers introduce the adequate network firewalls, SS7 surveillance remains one of the most potent tools in intelligence and law enforcement agencies' snooping arsenals. "It is astonishing that the telecommunications industry, standards bodies and regulatory agencies have allowed such a massive threat to people’s privacy to be exploited for so long, " Privacy International's Omanovic told Forbes.

"Unless this begins to be taken seriously, these vulnerabilities will inevitably be exploited not just by for-profit surveillance companies, but also by foreign state hackers and criminals. The fact that Ability claims its product can be used to exploit any network in the world should be a wake up call for urgent action by governments who care about protecting their citizens against surveillance by foreign agencies."